Data privacy laws in Canada
There are various provincial and federal regulations applicable to different entities
Ayottaz can help you become PIPEDA compliant
Learn how we can help
Understand if your business is impacted by Canadian Privacy Laws
There are a number of laws in Canada that relate to privacy rights, and there are various government organizations and agencies responsible for overseeing compliance with these laws.
Several factors determine which laws apply and who oversees them. Among them:
The nature of the organization handling the personal information
Is it a federal government institution?
Is it a provincial or territorial government institution?
Is it private sector?
Is it engaged in commercial activities?
Is it a federally regulated business?
Where is the organization based?
What type of information is involved?
Does the information cross provincial or national borders
Federal privacy laws and what they cover
Canada has two federal privacy laws that are enforced by the Office of the Privacy Commissioner of Canada:
- the Privacy Act, which covers how the federal government handles personal information;
- the Personal Information Protection and Electronic Documents Act (PIPEDA), which covers how businesses handle personal information
Who does Personal Information Protection and Electronic Documents Act (PIPEDA) apply to?
PIPEDA generally applies to personal information held by private sector organizations that are not federally-regulated, and conduct business in:
- Manitoba
- New Brunswick
- Newfoundland and Labrador
- Northwest Territories
- Nova Scotia
- Nunavut
- Ontario
- Prince Edward Island
- Saskatchewan
- Yukon
Unless the personal information crosses provincial or national borders, PIPEDA does not apply to organizations that operate entirely within:
- Alberta
- British Columbia
- Quebec.
These three provinces have general private-sector laws that have been deemed substantially similar to PIPEDA.
The definition of personal information differs somewhat under PIPEDA or the Privacy Act but generally, it can mean information about your:
- race, national or ethnic origin,
- religion,
- age, marital status,
- medical, education or employment history,
- financial information,
- DNA,
- identifying numbers such as your social insurance number, or driver’s licence,
- views or opinions about you as an employee
- Information that is not about an individual, because the connection with a person is too weak or far-removed (for example, a postal code on its own which covers a wide area with many homes)
- Information about an organization such as a business.
- Information that has been rendered anonymous, as long as it is not possible to link that data back to an identifiable person
- Certain information about public servants such as their name, position and title
- A person’s business contact information that an organization collects, uses or discloses for the sole purpose of communicating with that person in relation to their employment, business or profession.
- Government information. Occasionally people contact us for access to government information. This is different from personal information. For access to government information, contact the Information Commissioner of Canada
What are the penalties under PIPEDA?
PIPEDA is a relatively easy piece of legislation to follow, but the fines for not doing so are quite steep. If an organization is found to be knowingly in breach of PIPEDA requirements, they can be fined up to $100,000 for each violation.
Organizations having personal information under its control must, without unreasonable delay, provide notice to the Commissioner of any incident involving the loss of or unauthorized access to or disclosure of personal information where a reasonable person would consider that there exists a real risk of significant harm to an individual as a result.
CAD 100,000
Ayottaz can simplify your PIPEDA compliance journey
There’s no ‘one size fits all” approach to preparing for PIPEDA and other Canadian Privacy Laws. Rather, each business needs to know exactly what needs to be achieved to comply and who is the data controller who has taken responsibility for ensuring it happens. You are expected to put into place comprehensive but proportionate governance measures.
That could be the responsibility of an individual in a small business, or even a whole department in a multinational corporation. Either way, budgets, systems and personnel will all need to be considered to make it work.
Under Canadian Privacy Law provisions, companies need to implement appropriate technical and organisational measures. This could include data protection provisions (staff training, internal audits of processing activities, and reviews of HR policies), technical updations, mapping of your data as well as continuing documentation on processing activities.
Connect with us now for your initial PIPEDA consultation
Currently, nearly all of the information and marketing material available regarding data privacy emphasizes technical expertise and the requirements of experts in order to manage compliance. All of this seems extremely daunting to a small to medium-sized business that lacks the resources to onboard such resources. Ayottaz acts as an unbiased interface between enterprises and service providers. We are in the unique position to assure quality products and services to enterprises without any allegiance to a particular product or service. Getting the first mover’s advantage and using the platform to build long-lasting relationships with our customers will help us stay ahead of the competition in the future.
